Security Basics mailing list archives
RE: passwords in asp pages
From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Wed, 10 Mar 2004 15:51:22 +0530
> I am new to security and I have no training in ASP programming, so I am wondering if I am right in being scared of the following instance...

This fear is a wonderful thing: it prevents you from making silly mistakes because you double-check everything.
> An IIS-based website which has ASP pages which contain plaintext passwords for credentials to an SQL database on another machine. The passwords are between <% %>, so I assume that means they are only processed on the server and the user does not see them, and there do not seem to be any .inc files calling these pages. The server is also up to date with patches as far as I know.

There are many IIS and Windows bugs that make this very easy to exploit or to gain this info. I don't know your network setup, but in cases where I have to do something like this, I keep the SQL server in another subnet, and it has rules that allow access only from the IP of the web server, and that too only on the non-standard port (not 1433) on which the SQL server is running.

Having passwords in plain text is really not good; use any algorithm like MD5 to encrypt the password and use that in your program. Also make it impossible for anyone to replace this hash, because if I can replace this hash, then I can compute the hash beforehand, replace it on your server and know the password.

Since you are using Windows 2000, set up an IPsec VPN between the 2 computers and only allow secure communication, and remove all the useless users and programs (in short, harden the system; find these instructions on the MS website).
> ... when I said that they could be viewed if their source was viewed, by telling me that they would only be processed by the server itself, which still doesn't make me feel good at all.

There are tons and tons of bugs that allow you to view the source code of any system or file.

-aditya
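The first thing the original poster needs is an inventory of where the credentials actually sit in the web root, and whether each one is inside a server-side <% %> block or in static content that IIS would send to any browser. The scanner below is an added example written for this page, not code from the thread or from IIS. The two-file sample site it builds (db.asp, old.asp, the user names and passwords in them) is constructed for the demo; the connection-string keys it looks for (pwd/password, uid/User ID) are the standard OLE DB and ODBC ones.

```python
"""Audit a classic ASP web root for hard-coded database credentials.

Added example, not code from the original thread.  It walks a web root,
finds connection strings that carry a password, reports file, line and
user name with the password redacted, and notes whether the string sits
inside <% %> (processed server-side) or outside it (sent to the browser
as-is).  The sample site written by build_sample_site() is constructed
for the demo; file names and credentials in it are made up.
"""
import re
import tempfile
from pathlib import Path

# Classic ASP server-side script delimiters.
SERVER_BLOCK = re.compile(r"<%.*?%>", re.DOTALL)
# Password and user keys used in OLE DB / ODBC connection strings.  The
# value stops at ';', a quote or whitespace (quoted values with spaces
# are not handled; they are rare in ASP connection strings).
PASSWORD_KEY = re.compile(r"\b(?:pwd|password)\s*=\s*([^;\"'\s]*)", re.IGNORECASE)
USER_KEY = re.compile(r"\b(?:uid|user\s*id)\s*=\s*([^;\"'\s]*)", re.IGNORECASE)


def redact(secret):
    """Keep only the first character and the length, so the report itself
    does not become another copy of the password."""
    return secret[:1] + "*" * (len(secret) - 1)


def scan_asp_source(source):
    """Return one finding (dict) per password found in one ASP file's text."""
    server_spans = [(m.start(), m.end()) for m in SERVER_BLOCK.finditer(source)]
    findings = []
    for match in PASSWORD_KEY.finditer(source):
        secret = match.group(1).strip()
        if not secret:
            continue
        pos = match.start()
        # Bound the current line so the user name is taken from the same
        # connection string and a line number can be reported.
        line_start = source.rfind("\n", 0, pos) + 1
        line_end = source.find("\n", pos)
        if line_end == -1:
            line_end = len(source)
        user_match = USER_KEY.search(source, line_start, line_end)
        findings.append({
            "line": source.count("\n", 0, pos) + 1,
            "user": user_match.group(1).strip() if user_match else None,
            "password": redact(secret),
            # Outside <% %> the text is static content and reaches the client.
            "server_side": any(s <= pos < e for s, e in server_spans),
        })
    return findings


def scan_web_root(root):
    """Scan every .asp and .inc file under root; returns {relative path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() in (".asp", ".inc"):
            findings = scan_asp_source(path.read_text(encoding="utf-8", errors="replace"))
            if findings:
                report[str(path.relative_to(root))] = findings
    return report


def build_sample_site(root):
    """Write a constructed two-file site: one page with the credentials inside
    <% %> (the situation in the thread) and one where a developer left them in
    an HTML comment, outside any server-side block."""
    root = Path(root)
    (root / "db.asp").write_text(
        '<%\n'
        'Dim conn, strConn\n'
        'strConn = "Provider=SQLOLEDB;Data Source=dbsrv01;Initial Catalog=shop;'
        'User ID=webapp;Password=s3cret!;"\n'
        'Set conn = Server.CreateObject("ADODB.Connection")\n'
        'conn.Open strConn\n'
        '%>\n'
        '<html><body>ok</body></html>\n',
        encoding="utf-8",
    )
    (root / "old.asp").write_text(
        '<html>\n'
        '<!-- TODO remove: uid=sa;pwd=Winter2004 -->\n'
        '<% Response.Write "hello" %>\n'
        '</html>\n',
        encoding="utf-8",
    )
    return root


def demo():
    """Build the sample site in a temporary directory, scan it and print a report."""
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_web_root(build_sample_site(tmp))
    for name, findings in report.items():
        for f in findings:
            where = "server-side" if f["server_side"] else "CLIENT-VISIBLE"
            print(f"{name}:{f['line']} user={f['user']} password={f['password']} ({where})")
    return report


if __name__ == "__main__":
    demo()
```

Run it against the real web root with scan_web_root(r"C:\Inetpub\wwwroot") (path assumed). A "CLIENT-VISIBLE" finding is an immediate disclosure regardless of any IIS bug; a "server-side" finding is the case the thread is about, where the secret is only as safe as the server's source-disclosure history and the SQL account it unlocks.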
Current thread:
- passwords in asp pages (Mar 09)
- Re: passwords in asp pages Michael Gale (Mar 10)
- RE: passwords in asp pages patrick (Mar 10)
- RE: passwords in asp pages Tiago Halm (Mar 10)
- RE: passwords in asp pages Aditya, ALD [Aditya Lalit Deshmukh] (Mar 10)
- Re: passwords in asp pages Chris Burton (Mar 10)
- <Possible follow-ups>
- RE: passwords in asp pages MARTIN M. Bénoni (Mar 10)
- RE: passwords in asp pages Mike (Mar 10)
- RE: passwords in asp pages Miller, Joe (Mar 11)
- RE: passwords in asp pages Michael Dunn (Mar 11)